How do you know if you’re securely surfing the Web? Unfortunately, there’s no way to be a hundred percent sure with so many bad actors out there spreading malware and banging on network and software defenses in hopes of exploiting a security hole.
One approach taken by security researchers is to identify security issues as quickly as possible in hopes that the release of the information will lead to a speedy resolution or fix of the problem. But not everyone agrees such a disclosure policy is wise, especially when it makes public vulnerabilities that weren’t otherwise widely known, if known at all. eSecurity Planet reports on a controversy between Google and Microsoft involving a new tool that identifies browser vulnerabilities.
A Google researcher released a fuzzing tool for finding security vulnerabilities in Internet Explorer (IE) on New Year’s Day, claiming that he first notified Microsoft of the tool’s existence in July. Additionally, the fuzzer, called cross_fuzz, identified what appears to be a newly found zero-day security bug.
Microsoft’s (NASDAQ: MSFT) lack of response to his contact last summer, until just days before the actual release of the fuzzer, was a deciding factor in Google (NASDAQ: GOOG) security researcher Michal Zalewski’s decision to make the tool available publicly, Zalewski said in a post to his personal blog and to the Full Disclosure security e-mail list Saturday.